NAT or Not to NAT; how to do an Internet connection for a 100-PC company ?

Discussion in 'Cisco' started by Al Dykes, Oct 28, 2003.

  1. Al Dykes

    Al Dykes Guest

    My company needs to get a real internet connection, there is an
    immediate requirement for incoming VPN and netmeeting. Is there a
    way to use a small block of addresses and NAT instead of getting a
    /25 address block ?

    This is my first Cisco experience, I'm looking at a 26xx router
    and a PIX 501 firewall.

    Thanks


    --
    Al Dykes
    -----------
    Al Dykes, Oct 28, 2003
    #1

  2. In article <bnmltt$995$>, Al Dykes <> wrote:
    :My company needs to get a real internet connection, there is an
    :immediate requirement for incoming VPN and netmeeting. Is there a
    :way to use a small block of addresses and NAT instead of getting a
    :/25 address block ?

    :This is my first Cisco experience, I'm looking at a 26xx router
    :and a PIX 501 firewall.

    How much VPN do you expect to do? The 501 is only good for 10 VPN
    connections. If you might need more VPN connections than that,
    then the PIX 506E should be considered.

    Please see my PIX model comparison list at
    http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


    With regards to Netmeeting, the PIX 6.2(3) release notes say,

    ILS Fixup

    PIX Firewall software Version 6.2 provides an Internet Locator
    Service (ILS) fixup to support NAT for ILS and Lightweight
    Directory Access Protocol (LDAP). Also, with the addition of this
    fixup, the PIX Firewall supports H.323 session establishment by
    Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active
    Directory products leverage ILS, which is a directory service, to
    provide registration and location of endpoints. ILS supports the
    LDAP protocol and is LDAPv2 compliant.

    --
    I wrote a hack in microcode,
    with a goto on each line,
    it runs as fast as Superman,
    but not quite every time! -- Dave Touretzky and Don Libes
    Walter Roberson, Oct 28, 2003
    #2

  3. Al Dykes

    Al Dykes Guest

    In article <bnmnnq$f0$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    >In article <bnmltt$995$>, Al Dykes <> wrote:
    >:My company needs to get a real internet connection, there is an
    >:immediate requirement for incoming VPN and netmeeting. Is there a
    >:way to use a small block of addresses and NAT instead of getting a
    >:/25 address block ?
    >
    >:This is my first Cisco experience, I'm looking at a 26xx router
    >:and a PIX 501 firewall.
    >
    >How much VPN do you expect to do? The 501 is only good for 10 VPN
    >connections. If you might need more VPN connections than that,
    >then the PIX 506E should be considered.


    10 is a good number.

    Do I read the paragraph, below, to say that I can do incoming
    netmeeting thru a NAT box to a PC with an RFC1918 address ? Assuming
    the answer is yes, what else (LDAP server ?) is required ?

    Thanks

    >
    >Please see my PIX model comparison list at
    >http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt
    >
    >
    >With regards to Netmeeting, the PIX 6.2(3) release notes say,
    >
    > ILS Fixup
    >
    > PIX Firewall software Version 6.2 provides an Internet Locator
    > Service (ILS) fixup to support NAT for ILS and Lightweight
    > Directory Access Protocol (LDAP). Also, with the addition of this
    > fixup, the PIX Firewall supports H.323 session establishment by
    > Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active
    > Directory products leverage ILS, which is a directory service, to
    > provide registration and location of endpoints. ILS supports the
    > LDAP protocol and is LDAPv2 compliant.
    >
    >--
    > I wrote a hack in microcode,
    > with a goto on each line,
    > it runs as fast as Superman,
    > but not quite every time! -- Dave Touretzky and Don Libes



    --
    Al Dykes
    -----------
    Al Dykes, Oct 28, 2003
    #3
  4. In article <bnmot3$h2e$>, Al Dykes <> wrote:
    :Do I read the paragraph, below, to say that I can do incoming
    :netmeeting thru a NAT box to a PC with an RFC1918 address ? Assuming
    :the answer is yes, what else (LDAP server ?) is required ?

    I -think- that is what it means. There used to be a problem with
    incoming H.323 not being supported, and when I went looking for the
    documentation of that, I found that claim that starting in 6.2 something
    they added ILS support ... so it just might work now.


    If you look closely, you notice that I only quoted Cisco, rather
    than referring to my own experience. We've never tried it.
    --
    Oh, yeah, an African swallow maybe, but not a European swallow.
    That's my point.
    Walter Roberson, Oct 28, 2003
    #4
  5. Al Dykes

    Al Dykes Guest

    In article <bnmq4j$1ga$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    >In article <bnmot3$h2e$>, Al Dykes <> wrote:
    >:Do I read the paragraph, below, to say that I can do incoming
    >:netmeeting thru a NAT box to a PC with an RFC1918 address ? Assuming
    >:the answer is yes, what else (LDAP server ?) is required ?
    >
    >I -think- that is what it means. There used to be a problem with
    >incoming H.323 not being supported, and when I went looking for the
    >documentation of that, I found that claim that starting in 6.2 something
    >they added ILS support ... so it just might work now.
    >
    >
    >If you look closely, you notice that I only quoted Cisco, rather
    >than referring to my own experience. We've never tried it.
    >--


    I appreciate that distinction.

    A little googling found

    "NAT support for NetMeeting Directory" on Cisco's web site. I'll
    have to give it a careful read.

    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtnatils.htm


    Thanks

    --
    Al Dykes
    -----------
    Al Dykes, Oct 28, 2003
    #5
  6. Walter Roberson, Oct 28, 2003
    #6
  7. Brian Bergin

    Brian Bergin Guest

    (Al Dykes) wrote:

    |
    |10 is a good number.

    Read the 501 specs. It is ~$400 for 10 connections or ~$650 for 50. Both have
    3DES now. You state you have 100 connections. The 501 also stops at 50 users.
    That's not 50 inbound that's 50 total connections. The 506E is ~$950 and
    supports unlimited users and 25 VPN sessions. 501's support 10 VPN sessions
    total and they count against your total users. Get a 506E, it has a faster CPU
    and you won't run out of users. You'll be much happier. (then get a 501 for
    home and use Cisco's point-to-point VPN between them)

    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
    Brian Bergin, Oct 29, 2003
    #7
  8. Al Dykes

    Al Dykes Guest

    In article <>,
    Brian Bergin <> wrote:
    > (Al Dykes) wrote:
    >
    >|
    >|10 is a good number.
    >
    >Read the 501 specs. It is ~$400 for 10 connections or ~$650 for 50. Both
    >have 3DES now. You state you have 100 connections. The 501 also stops at
    >50 users. That's not 50 inbound that's 50 total connections. The 506E is
    >~$950 and supports unlimited users and 25 VPN sessions. 501's support 10
    >VPN sessions total and they count against your total users. Get a 506E,
    >it has a faster CPU and you won't run out of users. You'll be much happier.
    >(then get a 501 for home and use Cisco's point-to-point VPN between them)
    >




    I thought there was an unlimited license for the 501. Agreed
    that the 506E isn't lots more. Thanks.


    --
    Al Dykes
    -----------
    Al Dykes, Oct 29, 2003
    #8
  9. In article <bnn18f$5mu$>, Al Dykes <> wrote:
    :I thought there was an unlimited license for the 501. Agreed
    :that the 506E isn't lots more. Thanks.

    There is. It's Cisco part PIX-501-UL-BUN-K9, and street prices
    start about $US700. Street prices on PIX-506E-BUN-K9 start about
    $US900. The 506E is more than 2 1/2 times faster, has unlimited
    users, encrypts 5 to 6 times as quickly, and supports 25 VPN connections.
    --
    This signature intentionally left... Oh, darn!
    Walter Roberson, Oct 29, 2003
    #9